Encryption in the Balance: 2015 in Review

If you’ve spent any time reading about encryption this year, you know we’re in the midst of a “debate.” You may have also noted that it’s a strange debate, one that largely replays the same arguments made nearly 20 years ago, when the government abandoned its attempts to mandate weakened encryption and backdoors. Now some parts of the government have been trying to revisit that decision in the name of achieving “balance” between user security and public safety. The FBI, for example, acknowledges that widespread adoption of encryption has benefits for users, but it also claims its investigations of terrorists, criminals, and other wrongdoers will “go dark” unless it has a legal authority and the technical capability to read encrypted data. But because the principles of what makes encryption secure haven’t changed, the only “balance” that can satisfy the government’s goals is no balance at all—it would require dramatically rolling back the spread of strong encryption.

One of the biggest proponents of a “balanced” solution to the so-called Going Dark problem is FBI Director James Comey. At hearings in July and again this month, Comey has claimed that because some companies offer non-end-to-end encrypted communications tools, that’s proof that there is a way to achieve both user security and law enforcement access. He’s been backed up by the Washington Post editorial board and state and local law enforcement officials who all call on geniuses in Silicon Valley to “figure out” the balance.

The problem is that they don’t seem to have listened to the geniuses.

In fact, pushing back on the other side of this debate is a unified coalition of technologists, mega technology companies, and privacy advocates with a remarkably consistent message: weakening encryption is a terrible idea.

First up was an all-star group of cryptography experts who argued against government mandates for theClipper Chip in the 90’s and reconvened topublish a paper in July rigorously analyzing a number of possible legislative mandates. As before, they concluded that inclusion of key escrow code that would siphon off key material to any third party would necessarily increase code complexity, in turn increasing the likelihood of security vulnerabilities and putting users at increased risk. They also noted that any organization (or set of organizations, withsplit-key schemas) holding "golden key" access to consumer devices would be a huge target for hackers. As recent compromises of such sensitive data as the employee records and fingerprints for5.6 million government employees stored by the Office Of Personnel Management show, centralized high-risk databases can become targets for compromise.

What has changed since the initial report is the scale of encrypted communications that we rely on in our daily lives—from online transactions and HTTPS to device encryption and consumer security systems. A compromise in the 90s would have been very bad, but today it would be absolutely devastating. Finally, the experts point out important international governance questions that would have to be answered along with any mandate. Chief among these questions is whether encryption apps developed in the U.S. but intended for use in despotic regimes would be subject to similar key escrow systems based in those regimes. The intelligence community has offered no answers to these problematic looming questions. Nor have they explained how they could regulate the sizable number of open source and/or international encrypted apps.

Meanwhile, many of the biggest tech companies have also taken strong pro-encryption stances. Perhaps most noteworthy is Apple, which fought back against a court order demanding that it turn over communications by users of their iMessage app. Apple responded that the iMessage platform protects users with strong, end-to-end encryption, so Apple could not decrypt existing messages and was unwilling to jeopardize the security of its customers by building in a backdoor to compromise future communications. The government eventually backed off, but only after Apple delivered unencrypted iCloud backups of some of the messages in question. Apple CEO Tim Cook hasvociferously opposed any new backdoor mandates, echoing cryptography experts with the statement "you can’t have a back door that’s only for the good guys."

Google, which has made full-disk encryptionmandatory for smartphones running Android Marshmallow, joined Apple as well as over 140 other organizations and individuals (including EFF) in ajoint letter delivered to President Obama in late May urging the administration to reject any proposal weakening the security of their products.

More recently, the Information Technology Industry Council, a tech trade association of the 62 largest global tech firms, issued anews release explaining that encryption "is a security tool we rely on everyday to stop criminals" and "preserve our security and safety," concluding that "weakening security with the aim of advancing security simply does not make sense."

Save Crypto

Above all, individual Americans don’t want the government to have backdoor access to their communications, and EFF has been working to help the government hear that message. On September 30, along with Access Now , we launchedSaveCrypto.org as a way to let the public have its voice heard. Over 104,000 people signed on to a statement rejecting "any law, policy, or mandate that would undermine our security" and demanding "privacy, security, and integrity for our communications and systems"— enough to warrant an official public response by the White House. Despite the president’s support for “strong encryption,” the White House’s initial response to the petition was underwhelming.

In the midst of this action, a series of leaks to the Washington Post revealed that the Obama administration won’t seek legislation for now. (Though that hasn’t stopped Manhattan District Attorney Cy Vance from introducing his own deeply flawedmodel bill.) But statements by Comey and others suggest the government will instead try to privately pressure companies to weaken their own products. That’s an even worse outcome, so we’ll keep putting the pressure on the administration in 2016 to publicly disavow this approach and come out with the unequivocal defense of encryption the petition asked for in the first place.

This article is part of our Year In Review series; read other articles about the fight for digital rights in 2015. Like what you're reading? EFF is a member-supported nonprofit, powered by donations from individuals around the world. Join us today and defend free speech, privacy, and innovation.

Related Updates

Law enforcement access to data is in the middle of a profound shake-upacross the globe. States are pushing to get quicker, deeper, and more invasive access to personal data stored on the global Internet, and are looking to water down the international safeguards around privacy and due...

California Governor Gavin Newsom, in his first State of the State Address, called for a “Data Dividend” (what some are calling a “digital dividend”) from big tech. It’s notyetclear what form this dividend will take. We agree with Governor Newsom...

EFF joined a letter to Secretary of State Mike Pompeo opposing a proposal to deploy stronger vetting procedures against Chinese students intending to study in the United States because the procedures would threaten the free speech interests of both Chinese students and their American associates. Reuters...

The way we design user interfaces can have a profound impact on the privacy of a user’s data. It should be easy for users to make choices that protect their data privacy. But all too often, big tech companies instead design their products to manipulate users into surrendering their data...

France’s data protection authority is first out the gate with a big decision regarding a high-profile tech company, and every other enforcer in Europe is taking notes. On January 21, France’s CNIL fined Google 50 million Euros for breaches of the General Data Protection Regulation (GDPR)...

Imagine this: an enormous tech company is tracking what you do on your phone, even when you’re not using any of its services, down to the specific images that you see. It’s also tracking all of your network traffic, because you’re installing one of its specially-designed routers. And even though...

Since even before he took office, President Trump has called for a physical wall along the southern border of the United States. Manydifferentorganizations have argued this isn’t a great idea. In response, some Congressional Democrats have suggested turning to surveillance...